Data Protection Declaration
Data protection is a high priority for us, and presumably for you too. With this data protection declaration, we inform you which personal data (hereinafter also referred to as “Data”) are processed by us in relation to our websites (hereinafter referred to as “Websites”) and what your rights are. The data protection declaration also serves to implement our obligations under § 13 of the German Telemedia Act (TMG) and Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and on the revocation of Directive 95/46/EC (General Data Protection Regulation, GDPR).
COLORS AND THE KIDS
Gerbert Schulze Bluhm GbR
Schönhauser Allee 163, 10435 Berlin, Germany
Phone: +49 30 54 73 42 50
This Data Protection Declaration uses the following terms within the meaning of the General Data Protection Regulation:
“Personally identifiable information” is any information relating to an identified or identifiable natural person (hereafter referred to as “the data subject”); a natural person is regarded as identifiable if he/she can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online ID, or one or more special features that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” is any process or series of processes, performed with or without the help of automated procedures, relating to personal data, such as collecting, capturing, organizing, mapping, storage, adaptation or change, reading, consultation, use, disclosure by transmission, dissemination or any other form of deployment, matching or linking, restriction, deletion or destruction;
“Controller” is the natural or legal person, authority, body or other organization which, alone or jointly with others, decides on the purposes and means of processing the personal data;
“Processor” refers to a natural or legal person, public authority, body or other organization who or which processes personal data on behalf of the Controller;
“Receiver” is a natural or legal person, public authority, agency or another body to whom personal data is disclosed, regardless of whether it is a third party or not. Authorities that may receive personal data in the context of a specific investigation order pursuant to Union law or Member State law are not considered Receivers; the processing of this data by those authorities shall be carried out in accordance with the applicable data protection legislation and the purposes of the processing;
“Third party” means a natural or legal person, public authority, agency or another body, other than the data subject, the Controller, the Processor and the persons authorized under the direct responsibility of the Controller or the Processor to process the personal data;
“Consent” of the data subject shall mean any expression of will voluntarily given in a particular case, in an informed and unambiguous manner, in the form of a declaration or other clear confirmation, by which the data subject states that he or she agrees to the processing of the personal data concerning him or her;
“Cross-border processing” means either the processing of personal data carried out in the context of the activities of establishments of the Controller or Processor in the Union in more than one Member State, where the Controller or Processor has subsidiaries in more than one Member State; or the processing of personal data carried out in the context of the activities of an individual subsidiary of a Controller or Processor in the Union, which, however, has or may have a significant impact on data subjects in more than one Member State.
3. Type, Scope and Purpose of Processing, Legal Grounds
3.1 The following types of data are processed by us:
Customer data (e-mail) if the user chooses to subscribe to our newsletter;
Content (text, images, videos);
Usage data (websites visited, access times, location, etc.);
Communication data (device information, IP addresses, etc.);
Contract data (contractual text).
3.2 The following categories of data subjects are outlined:
Visitors to our websites (hereinafter also referred to as “Users”) as well as other interested parties, contestants;
Buyers of our goods and Customers of our services (hereinafter referred to as “Customers”); other business partners.
3.3 The processing of the data is carried out for the following purposes, using the following legal grounds:
Presentation, maintenance and improvement of our websites including all functions for Users, and for evidence; this is done on the basis of Article 6, paragraph 1, letter f of the GDPR (safeguarding our legitimate interests). Communication and usage data are processed, and data will not be passed on to third parties unless there is a legal obligation to do so (Article 6, paragraph 1, letter c of the GDPR).
Processing of usage data (websites visited, products viewed) and content for advertising purposes, in particular for personalized product information; this is done on the basis of Article 6, paragraph 1, letter f of the GDPR (safeguarding our legitimate interests).
Responses to requests via a contact form, e-mail correspondence with Users and Customers, for competitions; processing is carried out on the basis of Article 6, paragraph 1, letter b of the GDPR.
Creating a User account. Upon the creation or modification of a User account for our websites, Customer and contract data and, where applicable, content, are processed in order to provide the services within the framework of the websites for registered Users (Article 6, paragraph 1, letter b of the GDPR); in addition, communication data may be used for evidential purposes and for protection against the abuse of processing functions (Article 6, paragraph 1, letter f of the GDPR, safeguarding our legitimate interests).
Execution of contractual obligations towards Customers and other contractual partners, for which Customer data and contract data are processed. Insofar as data to be entered in forms are marked as mandatory, these are necessary for the fulfillment of the stated purpose. The processing is carried out on the basis of Article 6, paragraph 1, letters b and c of the GDPR.
Display of the User’s own content. If necessary, the User can post their own content in forums or similar functions on our websites; this is generally done anonymously. IP addresses are stored for evidentiary reasons, on the basis of our legitimate interests in accordance with Article 6, paragraph 1, letter f of the GDPR.
Self-marketing purposes; upon consent, the processing is carried out in accordance with Article 6, paragraph 1, letter a, as well as Article 7 of the GDPR, and moreover, in order to safeguard our legitimate interests, in accordance with Article 6, paragraph 1, letter f of the GDPR.
If our processing is based on further legal grounds, they will be stated below in additional explanations.
4. Recipients of Data, Third Countries
Insofar as it is necessary for the delivery of the products ordered by Customers, data will be passed on to the shipping company commissioned with the delivery. For payment processing, the data required in the payment transactions (name, account data, e-mail address, purchase price) may be passed on by us to a payment service provider and/or to a credit institution commissioned with the payment, such as PayPal. Other categories of recipients include hosting providers, participants in the ERP and financial accounting system, and/or external service providers and suppliers if required.
The transfer and disclosure of data to Recipients, Processors or third parties takes place exclusively within the framework of legal grounds (see section 2.4 above), or if a further legal obligation exists. Access to data for Processors is granted in strict compliance with Article 28 of the GDPR. Data processing in a third country (outside the European Union (EU) or European Economic Area (EEA)) is carried out in accordance with Articles 44 to 50 of the GDPR. The processing is carried out at a level of data protection that complies with the GDPR, in particular through guarantees by the Processors, e.g. on the basis of the agreement between the EU and the USA in accordance with the US Privacy Shield (hereinafter also “Privacy Shield”), or on the basis of special contractual obligations (standard contractual clauses).
5. Deletion of Data
Deletion of data is carried out on the basis of Articles 17 and 18 of the GDPR; the same applies to the restriction of processing and blocking of data. The deletion or restricted processing of the data takes place if and insofar as they are no longer necessary for the achievement of a specified purpose, unless deletion is prohibited by law (e.g. retention obligations under commercial or tax law), or otherwise agreed.
According to § 257 of the German Commercial Code (HGB) and § 147 paragraph 1 of the Tax Code (AO), every merchant is obliged in particular to keep trading books and records, inventories, opening balances, working instructions, annual accounts, other organizational documents, as well as accounting documents, for ten years; for commercial and business correspondence, a period of six years shall apply.
“Cookies” are small files that are stored on Users’ computers containing a variety of information. They are used to establish the identity of the User and his/her device and to secure information provided by the User during the visit. In addition to temporary cookies (“session cookies”, e.g. content of a shopping cart), which are deleted after the User leaves the web pages and closes the browser, there are persistent cookies (e.g. for last login, websites viewed), which are not deleted after the User leaves the website. In the case of so-called “third party cookies”, the cookies are not the Controller’s, but a third party’s.
You can prevent cookies from being stored on your computer. In your browser settings, you can select the option that cookies are not allowed in general and/or in relation to specific pages. You can also delete existing cookies here. As a precaution, it is pointed out that our website functions may be limited if cookies are disabled or removed.
We work with hosting partners to maintain, restore and improve our services, in particular with regard to storage space, computing capacity, databases, infrastructure, maintenance, and similar services. This may result in the processing of data in accordance with Section 2.1 of this Data Protection Declaration; in particular, the collection of server log files (server access). The processing takes place on the basis of a legitimate interest on our part, in accordance with Article 6, paragraph 1, letter f of the GDPR in conjunction with Article 28 of the GDPR. The deletion of the data takes place no later than seven days after the storage process is completed; this does not apply if the retention is necessary for evidentiary reasons, in which case the deletion takes place once the evidentiary purpose has ceased to apply.
When subscribing to the newsletter, your e-mail address will be used for the site’s advertising purposes (sending emails), until you unsubscribe from the newsletter. You can unsubscribe at any time. In this case, you may have expressly given us the following consent and we have logged your consent. We are obliged to keep the content of the given consent and make it available on demand at any time. You can revoke your consent at any time, which will be effective going forward. Repetition of the consent text for the newsletter:
“[ ] I would like to receive interesting offers on a regular basis via email. My email address will not be shared with other companies. I can revoke the consent of the use of my e-mail address for advertising purposes at any time, which will be effective going forward, by clicking on the “Unsubscribe” link at the end of the newsletter, or by sending an email to [e-mail address], asking for revocation.”
Registration takes place via the so-called “double opt-in procedure”. After registering, you will be asked to confirm the subscription to the newsletter via e-mail. The registration is logged for evidentiary purposes; in the process, the usage data (time of registration and confirmation, IP address) are processed. The legal basis for this is your consent in accordance with Article 6, paragraph 1, letter a, Article 7 of the GDPR, together with § 7 of the Law against Unfair Competition (UWG); the logging takes place on the basis of legal requirements (Article 6, paragraph 1, letter c of the GDPR) as well as to safeguard our legitimate interests (Article 6, paragraph 1, letter f of the GDPR).
The newsletter is sent via the shipping service provider “MailChimp”, a newsletter delivery platform belonging to the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. For this purpose, your e-mail address, as well as usage and communication data, will also be processed by MailChimp. The use of the shipping service provider is based on our legitimate interests (Article 6, paragraph 1, letter f of the GDPR) and an order processing contract (Article 28, paragraph 3, sentence 1 of the GDPR). You can find out more about data protection of the service provider at https://mailchimp.com/legal/privacy/. MailChimp is certified under the Privacy Shield Agreement (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
You can revoke your consent to receiving the newsletter at any time by clicking on the “Unsubscribe” link at the end of the newsletter, or by sending an email to us outlining your revocation. E-mail addresses may remain stored for up to three years after revocation to safeguard our legitimate interests, in order to prove that the required consent had been received for the newsletters sent up to the revocation.
9. Rights of Data Subjects
According to the GDPR, you have various rights relating to your data: You may request confirmation as to whether the concerned data is being processed; if this is the case, you may request information about this data, as well as further information, and a copy of the data in question, Article 15 of the GDPR. You have the right to request the correction of incorrect personal data and the completion of incomplete personal data with immediate effect, Article 16 of the GDPR.
You may request that the data in question be deleted immediately (Article 17 of the GDPR) or restricted in relation to processing (Article 18 of the GDPR). Under the conditions set out in Article 20 of the GDPR, you have the right to receive any data provided by you, as well as the right to transmit such data to another Controller, without hindrance from us.
You can file a complaint with the competent supervisory authority in accordance with Article 77 of the GDPR. In accordance with Article 7, paragraph 3 of the GDPR, you may revoke your consent, effective going forward, and object to any future processing of your data in accordance with Article 21 of the GDPR, at any time.